Cyber Security for Financial Industry
TSAM London 2017 - Technology & Operational Strategy Forum
Talal Albacha
@talal_basha1982
Who is OWASP?
• Free & Open
• Governed by rough consensus & running code
• Abide by a code of ethics (see ethics)
• Not-for-profit
• Not driven by commercial interests
• Risk based approach
Mission
• Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks
AppSec Visibility Cycle (diagram)
• Stakeholders: Audit, Developers, Infosec, Legal, Architects, Users, Research, Business
• Activities: Monitor Threat, Create Security Architecture, Define Security Requirements, Implement Controls, Share Findings, Understand Laws, Verify Compliance, Understand Stakeholders
Our Purpose & Our Core Values
Our Purpose: The OWASP Foundation will be the thriving global community that drives visibility and evolution in the safety and security of the world’s software.
Our Core Values
• OPEN: Everything at OWASP is radically transparent from our finances to our code.
• INNOVATION: OWASP encourages and supports innovation/experiments for solutions to software security challenges.
• GLOBAL: Anyone around the world is encouraged to participate in the OWASP community.
• INTEGRITY: OWASP is an honest and truthful, vendor agnostic, global community.
Cyber attacks on Financial Industry
https://www.theguardian.com/business/2016/dec/19/gchq-asked-to-step-up-action-against-cyber-attack-threat-to-financial-services
Cyber Threats
Cost of events involving different attack vectors
Source: NEW TECHNOLOGIES, NEW CYBERTHREATS - Kaspersky Lab Report 2017
New threats related to:
• Big Data – privacy issues…
• IoT – “smart” kettle, thermostat…
• Ransomware – data access restrictions
• Machine Learning systems – chat bots…
Two weeks of ethical hacking
Ten man-years of development
Business Logic Flaws
Code Flaws
Security Errors
OWASP Top Ten Proactive Controls
Train and Engage Dev team on:
• A1 – Verify for Security Early and Often
• A2 – Parameterize Queries
• A3 – Encode Data
• A4 – Validate All Inputs
• A5 – Implement Identity and Authentication Controls
• A6 – Implement Appropriate Access Controls
• A7 – Protect Data
• A8 – Implement Logging and Intrusion Detection
• A9 – Leverage Security Frameworks and Libraries
• A10 – Error and Exception Handling
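The following is an added worked example, not part of the slides and not OWASP's own code, showing three of the controls listed above (A2 Parameterize Queries, A3 Encode Data, A4 Validate All Inputs) side by side in Python's standard library. The customer table and names are constructed sample data; the lookup, validation and rendering functions are hypothetical helpers chosen for illustration. The concatenated lookup is included only to show why string-built SQL is fragile: a legitimate name containing an apostrophe breaks the statement, while the parameterized version handles it correctly.

```python
import html
import re
import sqlite3

# Constructed sample rows for the demo (not taken from the slides).
CUSTOMERS = [
    (1, "Alice Smith", "alice@example.com"),
    (2, "Conor O'Brien", "conor@example.com"),
]


def setup_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return conn


def lookup_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The pattern A2 warns against: user input spliced into the SQL text.
    Any quote character in `name` alters the statement itself, so even an
    honest name such as O'Brien produces a syntax error."""
    sql = "SELECT id, name, email FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """A2 - Parameterize Queries: the SQL text is fixed and `name` is bound
    as a value, so the driver never interprets it as SQL syntax."""
    sql = "SELECT id, name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Allow-list: a letter followed by up to 63 letters, apostrophes, spaces,
# dots or hyphens. Hypothetical policy for a customer-name field.
CUSTOMER_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' .-]{0,63}$")


def validate_customer_name(name: str) -> bool:
    """A4 - Validate All Inputs: check shape and length against an allow-list
    before the value reaches the database or the page."""
    return bool(CUSTOMER_NAME_RE.match(name))


def render_name(name: str) -> str:
    """A3 - Encode Data: HTML-encode a value before placing it in a page,
    including quotes, so it cannot break out of the surrounding markup."""
    return html.escape(name, quote=True)


def demo() -> dict:
    """Run the three controls over the constructed data and return the results."""
    conn = setup_db()
    results = {}
    # The apostrophe is legitimate in the name; concatenation breaks on it.
    try:
        lookup_concatenated(conn, "Conor O'Brien")
        results["concat_ok"] = True
    except sqlite3.OperationalError:
        results["concat_ok"] = False
    results["param_rows"] = lookup_parameterized(conn, "Conor O'Brien")
    results["valid"] = validate_customer_name("Conor O'Brien")
    results["invalid"] = validate_customer_name("<script>")
    results["encoded"] = render_name("Conor <O'Brien>")
    conn.close()
    return results


if __name__ == "__main__":
    print(demo())
```

Validation (A4) rejects values that do not fit the field's expected shape, but it is not a substitute for parameterization (A2): names legitimately contain apostrophes, so the query must treat input as data regardless of what validation lets through, and output encoding (A3) is applied at the point of rendering rather than at input time.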